
ISO 27001 Control 8.10: Information Deletion

How to Actually Get Rid of Data (So It Can’t Come Back to Bite You)

ISO 27001 Control 8.10 Information deletion is about making sure that when information has reached the end of its useful life, it’s properly gone – not just “out of sight”.

Soft-deleting records in an app, dragging files to the recycle bin, or “we’ll keep it just in case” thinking all increase your risk surface. Old data tends to be:

  • Poorly understood
  • Poorly protected
  • Highly interesting to attackers and regulators

Control 8.10 expects you to delete information in a planned, verifiable way, based on retention rules, legal requirements, and business need.

This guide walks through what ISO 27001 Control 8.10 is really asking for and how to build a practical, auditable information deletion approach across on-premises systems, devices, and cloud services.


What ISO 27001 Control 8.10 Actually Requires

In plain English, ISO 27001 Control 8.10 – Information deletion expects you to:

  • Delete information securely when it’s no longer needed.
  • Make sure deletion is driven by retention rules, not random decisions.
  • Use deletion methods that are appropriate to the storage technology and risk.
  • Cover all locations where information lives: production systems, logs, backups, archives, devices, and cloud.
  • Be able to show what you did (evidence, logs, contracts with providers).

It’s closely linked to:

  • Your data retention schedule (how long you keep different types of information)
  • Legal and regulatory requirements (e.g. tax law, employment law, GDPR, sector rules)
  • Other controls like storage media handling, secure disposal, access control, and backup management

The main idea: if you don’t need it, either delete it securely or have a very good reason for keeping it.


Step 1 – Start with a Clear Information Deletion Policy

ISO 27001 Control 8.10 lives or dies on how well it’s anchored in your data lifecycle.

You should:

  • Define when information should be deleted
    – Link deletion triggers to your retention schedule: by record type, system, and legal requirement.
    – Cover structured data (databases), unstructured data (files, emails), and application-level data.
  • Assign responsibilities
    – Who owns the retention rules?
    – Who is responsible for implementing deletion in systems?
    – Who approves exceptions to normal deletion?
  • Include third parties
    – Require service providers (including cloud and SaaS vendors) to support your deletion requirements.
    – Make secure deletion part of contracts and data processing agreements.
  • Integrate with lifecycle processes
    – New systems and services should not go live until you’ve decided:
    • How long data will be kept
    • How it will be deleted
    • How deletion will be evidenced

Put this into a short, pragmatic Information Deletion Policy that’s referenced from your retention schedule and your asset/register of processing activities.


Step 2 – Choose Appropriate Deletion Methods for Each Storage Type

Not all storage is equal. ISO 27001 Control 8.10 expects you to match the deletion method to the technology and risk level.

Common options:

  • Logical deletion (application-level delete)
    – Useful as a first step (e.g. “soft delete” flags), but the data is still fully readable to anyone with database or backup access, so it is not sufficient on its own for high-risk data.
    – Should be paired with eventual physical deletion according to retention rules.
  • Secure overwriting
    – Overwriting data with known patterns or random data.
    – Reliable for magnetic disks that will be reused internally. On SSDs and other flash media, wear levelling and spare blocks mean a file- or partition-level overwrite cannot be guaranteed to reach every cell; use the drive’s built-in secure-erase or sanitise command, or cryptographic erasure, instead.
  • Cryptographic erasure
    – If data is encrypted at rest with unique keys, securely deleting the keys renders the data effectively unrecoverable, even though the ciphertext may remain in backups and replicas.
    – Very useful in cloud and virtualised environments, where you don’t control the physical media.
    – Only as strong as your key management: the key must not survive in backups, key-store snapshots or escrow, and the cipher must stay strong for as long as any copy of the ciphertext exists.
  • Secure deletion tools
    – Certified wiping tools for disks and removable media.
    – Ideal when reassigning kit inside the organisation.
  • Physical destruction
    – Shredding, degaussing, crushing or incinerating storage media.
    – Most appropriate for end-of-life media holding highly sensitive or regulated information. Degaussing only works on magnetic media; SSDs and flash drives need shredding or crushing.
  • Mobile and endpoint resets
    – Factory resets combined with ensuring that device-level encryption keys are wiped.
    – Managed via MDM where possible, with records of reset/wipe events.

The key for ISO 27001 Control 8.10 is that you can explain why you chose a particular method for a particular context, and show that it aligns with the risk.
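To make the cryptographic erasure option concrete, here is an added Go example (not from the original article and not any vendor’s implementation): each record is encrypted under its own random AES-256-GCM key, the key store and the ciphertext store are kept separate, and “deletion” is zeroing and removing the key. The record IDs and content are constructed sample data; in a real system the key store would be an HSM or KMS and the ciphertext would sit in object storage and its backups.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyErased is returned when the per-record key no longer exists.
var ErrKeyErased = errors.New("record key erased: ciphertext is unrecoverable")

// Store keeps ciphertext (object storage, backups, replicas) separately from
// per-record keys (a KMS/HSM in real systems). Deleting the key is the
// deletion event; the ciphertext can stay wherever copies of it already exist.
type Store struct {
	blobs map[string][]byte // record ID -> nonce || ciphertext
	keys  map[string][]byte // record ID -> 256-bit AES key
}

func NewStore() *Store {
	return &Store{blobs: map[string][]byte{}, keys: map[string][]byte{}}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext under a fresh random key unique to this record.
func (s *Store) Put(id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The record ID is used as associated data, binding ciphertext to its ID.
	s.blobs[id] = aead.Seal(nonce, nonce, plaintext, []byte(id))
	s.keys[id] = key
	return nil
}

// Get decrypts a record; it fails with ErrKeyErased once the key is gone.
func (s *Store) Get(id string) ([]byte, error) {
	key, ok := s.keys[id]
	if !ok {
		return nil, ErrKeyErased
	}
	blob, ok := s.blobs[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("malformed blob")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}

// CryptoErase is the deletion step: overwrite the key material in memory,
// then drop the entry. The ciphertext is deliberately left untouched.
func (s *Store) CryptoErase(id string) {
	if key, ok := s.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.keys, id)
	}
}

// BlobExists shows that the ciphertext still exists after erasure, as it
// would in backups and replicas you cannot reach.
func (s *Store) BlobExists(id string) bool {
	_, ok := s.blobs[id]
	return ok
}

func main() {
	s := NewStore()
	_ = s.Put("customer-42", []byte("constructed sample: name=Jane Doe, ref=INV-1001"))
	pt, _ := s.Get("customer-42")
	fmt.Printf("before erase: %q\n", pt)
	s.CryptoErase("customer-42")
	_, err := s.Get("customer-42")
	fmt.Println("after erase:", err, "| ciphertext still stored:", s.BlobExists("customer-42"))
}
```

Note what the example cannot do: it has no way to recall copies of the key that already left the store (key backups, KMS snapshots, exports), which is exactly why the key-management caveat above matters more than the cipher choice.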


Step 3 – Build Deletion into Systems and Business Processes

Ad-hoc, manual deletion doesn’t scale. Control 8.10 expects you to embed deletion into system behaviour and everyday processes.

You should:

  • Automate where possible
    – Configure applications and databases to purge records after the retention period expires.
    – Use lifecycle policies on file stores (e.g. move to archive, then delete).
    – Apply retention and deletion policies in email and collaboration tools.
  • Cover temporary and derivative data
    – Logs, caches, exports, test data, and ad-hoc copies are often forgotten.
    – Make sure these are either:
    • Included in the retention schedule, or
    • Automatically rolled and deleted after a set period.
  • Log deletion activity
    – For higher-risk data, log who/what deleted it, when, and by which mechanism.
    – Use these logs in audits and, where needed, as evidence for regulators or clients.
  • Handle backups deliberately
    – Deletion from live systems doesn’t remove data from backups: a record purged today still exists in every backup taken before the purge until that backup set expires, so backup retention effectively extends data retention.
    – Define how long backups are kept and how they are disposed of.
    – Be clear about what you can and can’t realistically do regarding “right to be forgotten” in backup sets (typically: the record is re-deleted if a backup is ever restored, rather than edited out of the backup itself) and document that position.

This is where ISO 27001 Control 8.10 stops being theoretical and shows up in real system configuration.
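As an added example (not the article’s own code), the following Go program shows the shape of the retention-driven purge job described in Step 3: a schedule keyed by record type, a planning pass that refuses to act on records under legal hold or without a rule, and an execution pass that writes an audit entry per deletion and reports failures for alerting. The record types, retention periods and sample records are constructed assumptions, not legal figures.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const day = 24 * time.Hour

// Retention schedule keyed by record type. Durations run from the record's
// trigger date (invoice issued, ticket closed, export created). The figures
// are illustrative assumptions, not legal guidance.
var retention = map[string]time.Duration{
	"invoice":     7 * 365 * day,
	"support-log": 90 * day,
	"export":      30 * day, // ad-hoc copies get a short clock of their own
}

type Record struct {
	ID          string
	Type        string
	Trigger     time.Time
	SoftDeleted bool // application flag only; neither stops the clock nor counts as deletion
	LegalHold   bool // overrides retention until lifted
}

type Decision struct {
	RecordID string
	Outcome  string // purge | keep | hold | no-rule
	Reason   string
}

// AuditEntry is what gets logged per physical deletion so it can be evidenced later.
type AuditEntry struct {
	When     time.Time
	RecordID string
	Method   string
	Actor    string
}

// PlanPurge applies the schedule. A type without a rule is reported rather than
// silently kept forever (an "orphaned" type) or deleted by accident.
func PlanPurge(records []Record, now time.Time) []Decision {
	out := make([]Decision, 0, len(records))
	for _, r := range records {
		keep, ok := retention[r.Type]
		switch {
		case !ok:
			out = append(out, Decision{r.ID, "no-rule", "no retention rule for type " + r.Type + ": escalate to data owner"})
		case r.LegalHold:
			out = append(out, Decision{r.ID, "hold", "legal hold in force"})
		case !now.Before(r.Trigger.Add(keep)):
			out = append(out, Decision{r.ID, "purge", fmt.Sprintf("%s retention of %d days expired", r.Type, int(keep/day))})
		default:
			out = append(out, Decision{r.ID, "keep", "within retention"})
		}
	}
	return out
}

// ExecutePurge runs the physical delete for every "purge" decision through the
// supplied deleter (SQL DELETE, object removal, key erasure) and returns the
// audit trail plus the failures that should raise an alert.
func ExecutePurge(decisions []Decision, deleter func(id string) error, method, actor string, now time.Time) (audit []AuditEntry, failed []string) {
	for _, d := range decisions {
		if d.Outcome != "purge" {
			continue
		}
		if err := deleter(d.RecordID); err != nil {
			failed = append(failed, d.RecordID+": "+err.Error())
			continue
		}
		audit = append(audit, AuditEntry{now, d.RecordID, method, actor})
	}
	return audit, failed
}

// sampleRecords is constructed test data.
func sampleRecords(now time.Time) []Record {
	return []Record{
		{ID: "inv-2015-001", Type: "invoice", Trigger: now.Add(-8 * 365 * day)},
		{ID: "inv-2023-017", Type: "invoice", Trigger: now.Add(-2 * 365 * day), SoftDeleted: true},
		{ID: "ticket-5510", Type: "support-log", Trigger: now.Add(-120 * day), LegalHold: true},
		{ID: "export-q1", Type: "export", Trigger: now.Add(-45 * day), SoftDeleted: true},
		{ID: "legacy-dump", Type: "mystery", Trigger: now.Add(-3000 * day)},
	}
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	store := map[string]bool{"inv-2015-001": true, "inv-2023-017": true, "ticket-5510": true, "export-q1": true, "legacy-dump": true}
	plan := PlanPurge(sampleRecords(now), now)
	deleter := func(id string) error {
		if !store[id] {
			return errors.New("record not found in primary store")
		}
		delete(store, id)
		return nil
	}
	audit, failed := ExecutePurge(plan, deleter, "sql-delete", "retention-job", now)
	for _, d := range plan {
		fmt.Printf("%-13s %-8s %s\n", d.RecordID, d.Outcome, d.Reason)
	}
	fmt.Println("audit entries:", len(audit), "failures:", failed)
}
```

Two details are deliberate: the soft-deleted invoice is still “keep” because the flag has no bearing on the retention clock, and the export copy is purged on its own short clock rather than inheriting the seven-year invoice rule. The failure list is what a dashboard or alert would consume.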


Step 4 – Make Cloud and SaaS Deletion Explicit

Cloud and SaaS are often where deletion gets fuzzy. Control 8.10 expects you to understand and manage how your providers delete data.

Key actions:

  • Review provider documentation
    – How do they handle data deletion, versioning, and backups?
    – How quickly is data actually removed from primary and secondary storage?
  • Bake requirements into contracts
    – Require secure deletion at the end of retention and on contract termination.
    – Ask for assurances on:
    • Replicated data
    • Snapshots
    • Logs and metadata
  • Use provider features
    – Enable retention policies and automatic deletion for objects, mailboxes, logs and backups.
    – Configure “hard delete” timelines where appropriate rather than keeping everything indefinitely.
  • Request evidence where needed
    – For higher-risk datasets, you may want written confirmation or audit reports (e.g. SOC 2, ISO 27001) covering deletion controls.
  • Plan for exit
    – When you leave a provider, ensure your contract requires:
    • Return or export of your data in a usable format
    • Secure deletion of remaining copies within agreed timescales
    • Confirmation that this has been completed

This lets you demonstrate that ISO 27001 Control 8.10 extends beyond your own data centre or office.
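To show what “configure hard-delete timelines” looks like in practice, here is an added Go example (not from the article and not AWS’s own tooling) that builds an S3-style bucket lifecycle configuration in the JSON shape the bucket lifecycle API accepts, then lints it for the gaps that commonly defeat deletion on a versioned bucket. The prefix and day counts are assumptions; the weak rule is shown beside the hardened one.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal model of an S3 lifecycle configuration, in the JSON shape the
// bucket lifecycle API accepts. Only the fields used here are modelled.
type Lifecycle struct {
	Rules []Rule `json:"Rules"`
}

type Rule struct {
	ID                             string      `json:"ID"`
	Status                         string      `json:"Status"`
	Filter                         Filter      `json:"Filter"`
	Expiration                     *Expiration `json:"Expiration,omitempty"`
	NoncurrentVersionExpiration    *Noncurrent `json:"NoncurrentVersionExpiration,omitempty"`
	AbortIncompleteMultipartUpload *AbortMPU   `json:"AbortIncompleteMultipartUpload,omitempty"`
}

type Filter struct {
	Prefix string `json:"Prefix"`
}
type Expiration struct {
	Days int `json:"Days"`
}
type Noncurrent struct {
	NoncurrentDays int `json:"NoncurrentDays"`
}
type AbortMPU struct {
	DaysAfterInitiation int `json:"DaysAfterInitiation"`
}

// WeakRule is the "set Expiration and forget it" configuration that looks
// like a 30-day hard delete but is not one on a versioned bucket.
func WeakRule() Lifecycle {
	return Lifecycle{Rules: []Rule{{
		ID:         "expire-exports",
		Status:     "Enabled",
		Filter:     Filter{Prefix: "exports/"},
		Expiration: &Expiration{Days: 30},
	}}}
}

// HardenedRule also expires the noncurrent versions that Expiration leaves
// behind and cleans up abandoned multipart uploads, so the bytes actually go.
func HardenedRule() Lifecycle {
	return Lifecycle{Rules: []Rule{{
		ID:                             "expire-exports",
		Status:                         "Enabled",
		Filter:                         Filter{Prefix: "exports/"},
		Expiration:                     &Expiration{Days: 30},
		NoncurrentVersionExpiration:    &Noncurrent{NoncurrentDays: 7},
		AbortIncompleteMultipartUpload: &AbortMPU{DaysAfterInitiation: 7},
	}}}
}

// Gaps lists the reasons a configuration would not remove data from the bucket
// on the timeline the retention schedule promises.
func Gaps(lc Lifecycle, versioned bool) []string {
	var gaps []string
	for _, r := range lc.Rules {
		if r.Status != "Enabled" {
			gaps = append(gaps, r.ID+": rule is not enabled")
		}
		if r.Expiration == nil || r.Expiration.Days <= 0 {
			gaps = append(gaps, r.ID+": no Expiration, current objects are kept indefinitely")
		}
		if versioned && r.NoncurrentVersionExpiration == nil {
			gaps = append(gaps, r.ID+": versioned bucket but no NoncurrentVersionExpiration; Expiration only adds a delete marker and every previous version stays")
		}
		if r.AbortIncompleteMultipartUpload == nil {
			gaps = append(gaps, r.ID+": abandoned multipart upload parts are never cleaned up")
		}
	}
	return gaps
}

// WorstCaseDays is the longest an object's bytes can persist under a rule on a
// versioned bucket: Expiration makes it noncurrent, then NoncurrentDays applies.
// -1 means the bytes are never removed by this rule.
func WorstCaseDays(r Rule) int {
	if r.Expiration == nil || r.NoncurrentVersionExpiration == nil {
		return -1
	}
	return r.Expiration.Days + r.NoncurrentVersionExpiration.NoncurrentDays
}

func main() {
	for _, lc := range []Lifecycle{WeakRule(), HardenedRule()} {
		b, _ := json.MarshalIndent(lc, "", "  ")
		fmt.Println(string(b))
		fmt.Println("gaps on a versioned bucket:", Gaps(lc, true))
		fmt.Println("worst-case days until bytes are gone:", WorstCaseDays(lc.Rules[0]))
	}
}
```

The point of the output is that the weak rule is not a 30-day hard delete on a versioned bucket: Expiration writes a delete marker and makes the object noncurrent, and the bytes stay until a NoncurrentVersionExpiration rule removes them, so the hardened rule’s real worst-case timeline is 37 days, not 30. Delete markers themselves are cleaned up by a separate rule using the ExpiredObjectDeleteMarker flag of Expiration. Other providers split “current”, “previous versions”, “soft-deleted” and “snapshot” retention in similar ways, which is why Step 4 asks you to read the documentation rather than assume.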


Step 5 – Link Information Deletion to Device and Media Disposal

Control 8.10 overlaps heavily with your equipment and media disposal controls.

You should ensure that:

  • Device reassignment
    – Before laptops, phones, or workstations are reissued internally, user data is securely wiped.
    – Standard build images are applied and verified.
  • End-of-life hardware
    – Storage media is securely wiped or physically destroyed based on sensitivity and risk.
    – Certificates of destruction or equivalent evidence are kept when using third-party disposal firms.
  • Removable media
    – USB drives, SD cards and portable disks are either:
    • Securely wiped and tracked for reuse, or
    • Physically destroyed when no longer needed.
  • Alignment with your deletion policy
    – Device and media processes should reference your Information Deletion Policy so that technical controls match the retention and deletion expectations for the data stored on them.

That way, an auditor looking at ISO 27001 Control 8.10 and your equipment/media controls sees one coherent story, not a patchwork.


Step 6 – Evidence, Oversight and Compliance

Control 8.10 also cares about governance – not just “do you delete?” but “can you prove you delete in line with your own rules and the law?”.

You should:

  • Maintain records of key deletions
    – Especially for high-risk systems, bulk deletions, or end-of-service events.
    – Keep logs for a reasonable period for audit and investigations.
  • Review deletion processes periodically
    – Are retention rules still correct?
    – Are automated deletions happening as expected?
    – Are any systems or data types “orphaned” – kept forever because nobody owns them?
  • Train staff on deletion responsibilities
    – So they understand that “delete” in an application might not mean “gone forever”, and when they should request formal secure deletion.
    – Help them recognise when they are creating new copies (exports, spreadsheets, email attachments) that must follow the same rules.
  • Align with data protection law
    – Make sure your deletion approach supports:
    • Regulatory retention requirements (e.g. minimum retention for tax, employment, safety)
    • Data minimisation principles
    • Data subject rights (e.g. erasure requests), as far as technically and legally possible

This turns ISO 27001 Control 8.10 into something you can defend to auditors, regulators and customers.


Step 7 – Use Automation and Tooling Sensibly

Automation can make ISO 27001 Control 8.10 much easier to operate – as long as it’s well understood and tested.

Useful capabilities:

  • Data governance tools
    – Classify data and apply retention/deletion policies at scale.
    – Identify ROT (redundant, outdated, trivial) data that can be removed safely.
  • Scheduled deletion jobs
    – Automated scripts and jobs to purge old records, emails, files and logs.
    – Built-in reporting so you can see what was deleted and when.
  • Workflow for approvals
    – For high-impact deletions (e.g. large datasets or critical systems), automated workflows that require approvals and record decisions.
  • Dashboards and reporting
    – Central visibility of deletion status across key systems and repositories.
    – Alerts where deletion jobs fail or can’t process certain records.

Whatever automation you introduce, make sure:

  • It’s documented and owned.
  • It’s tested, including error handling and fail-safe behaviour.
  • It’s updated when your retention rules or systems change.

Quick Implementation Checklist for ISO 27001 Control 8.10

Use this to benchmark your information deletion approach:

  • ISO 27001 Control 8.10 (Information deletion) is covered in a formal policy linked to your retention schedule.
  • Responsibilities for defining, implementing and approving information deletion are clearly assigned.
  • Appropriate deletion methods (overwriting, cryptographic erasure, secure wipe, physical destruction) are defined for each storage type.
  • Systems are configured to delete or purge data automatically in line with retention rules, including logs and temporary data.
  • Backups and archives have defined retention periods and end-of-life deletion processes.
  • Cloud and SaaS providers’ deletion mechanisms are understood, contractually addressed and, where needed, evidenced.
  • Device and media disposal processes include secure information deletion before reuse or destruction.
  • Deletion activities are logged or evidenced where risk justifies it, and records are retained for audit.
  • Staff are trained on secure deletion practices and the risks of improper disposal.
  • Deletion processes are reviewed periodically and updated when systems, laws or business needs change.

Bringing It All Together

ISO 27001 Control 8.10 – Information deletion – is about making sure that “we don’t use that data any more” actually means “we’ve securely deleted it”, not “it’s still sitting around on a server somewhere”.

If you:

  • Tie deletion to clear retention rules,
  • Choose the right deletion methods for each environment,
  • Embed deletion into your systems and contracts, and
  • Keep evidence and oversight of what’s happening,

you’ll reduce your exposure to data breaches, regulatory scrutiny, and messy legacy systems – and you’ll be in a strong position to show auditors that information deletion under ISO 27001 Control 8.10 is deliberate, controlled and effective.